Description of problem:
When moving a normal minimal install of Red Hat Enterprise Linux 8 to FIPS mode compliant using:
# update-crypto-policies --set FIPS
# fips-mode-setup --enable
and then rebooting the server according to instructions from update-crypto-policies/fips-mode-setup, the server hangs and a power cycle is required to get the server to boot up again.
Can only replicate issue on fresh install of RHEL8 Snap2 though. CANNOT replicate by switching back and forth between FIPS and DEFAULT, like such:
# fips-mode-setup --disable
# update-crypto-policies --set DEFAULT
# reboot
# fips-mode-setup --enable
# update-crypto-policies --set FIPS
# reboot
Expected results:
Server should boot without hang
Additional info:
There is no need to explicitly call update-crypto-policies --set FIPS or update-crypto-policies --set DEFAULT.
The command even prints a warning not to do that.
The fips-mode-setup --enable and fips-mode-setup --disable commands implicitly change the crypto policy to FIPS and back to DEFAULT.
As for the hang - I think this is just a continuing manifestation of the "too low entropy in kernel" issue during boot. We made multiple workarounds to improve the situation; however, apparently the problem still happens sometimes.
To debug further, it is crucial to find out at which stage the boot hangs.
Hi Tomaz,
>> Also we need to know the exact details of the machine - is it virtual or real hw, does it have rdrand, ...
I tested the mentioned steps on my VirtualBox VM.
Not sure about rdrand here but.
>> Did you test anything newer than Snapshot 2?
By snapshot 2, you mean the latest RHEL8 release right? If yes, I'll do that soon and update you with my observation soon.
Hi Tomaz,
>> Did you test anything newer than Snapshot 2?
I believe you are talking about the Snapshot 2 mentioned in the link below -
http://download.eng.pnq.redhat.com/pub/rhel/rel-eng/
I'm not really sure how to use the same, as I can't see a direct ISO for this. Can you please confirm what your observation is with Snapshot 2? It would be great if you could mention how to use the snapshot here as well.
Hi,
I am facing a similar issue with the AWS RHEL8 image. As per an audit requirement, we were asked to enable this: fips-mode-setup --enable. After enabling it and rebooting the AWS Red Hat 8 EC2 VM, the system doesn't come up. We have even tried with 2 to 3 different AWS accounts and different locations. It is the same: after reboot it does not come up. Since AWS doesn't have a console option, we couldn't see where it got stuck. Has anyone come across this and fixed it?
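
The details this thread asks for (FIPS state, virtual or real hardware, rdrand, kernel entropy) can be gathered in one pass. The script below is an added example, not part of the original bug report; the ROOT prefix and the function names are hypothetical, and it assumes the applied policy name is recorded in /etc/crypto-policies/state/current.

```shell
#!/bin/sh
# Added example (not from the bug report): gather FIPS and entropy facts.
# ROOT is a hypothetical prefix so the checks can also run against a copy
# of the files taken from a machine that no longer boots.
ROOT="${ROOT:-}"

read_first() {  # first line of a file, or "unknown" when unreadable
    if [ -r "$ROOT$1" ]; then head -n 1 "$ROOT$1"; else echo unknown; fi
}

cpu_has_flag() {  # true when the first x86 "flags" line lists flag $1
    grep -m 1 '^flags' "$ROOT/proc/cpuinfo" 2>/dev/null | grep -qw -- "$1"
}

fips_report() {
    kernel_fips=$(read_first /proc/sys/crypto/fips_enabled)
    if grep -qw 'fips=1' "$ROOT/proc/cmdline" 2>/dev/null
    then cmdline_fips=1; else cmdline_fips=0; fi
    # Assumption: update-crypto-policies records the applied policy here.
    policy=$(read_first /etc/crypto-policies/state/current)
    if cpu_has_flag rdrand; then rdrand=yes; else rdrand=no; fi
    if cpu_has_flag hypervisor; then virt=yes; else virt=no; fi
    entropy=$(read_first /proc/sys/kernel/random/entropy_avail)

    echo "fips_enabled=$kernel_fips cmdline_fips=$cmdline_fips policy=$policy"
    echo "rdrand=$rdrand hypervisor=$virt entropy_avail=$entropy"

    # fips-mode-setup switches kernel flag and policy together, so a
    # mismatch means one of the two steps did not take effect.
    case "$kernel_fips:$policy" in
        1:FIPS*|0:unknown|unknown:*) ;;
        1:*) echo "note: kernel in FIPS mode but policy is $policy" ;;
        0:FIPS*) echo "note: policy is $policy but kernel FIPS mode is off" ;;
    esac
    # The machine details asked for in the thread: virtual and no rdrand.
    if [ "$virt" = yes ] && [ "$rdrand" = no ]; then
        echo "note: hypervisor guest without rdrand"
    fi
}

fips_report
```

Run it as root on the affected host before the reboot, or with ROOT pointing at a directory holding copies of the same files.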